DETAILED ACTION

This action is in response to the papers filed 1/12/2004. Claims 1-30 were 
received for consideration. No preliminary amendments for the claims were filed. 
Currently claims 1-30 are under consideration. 



Information Disclosure Statement 

The information disclosure statement (IDS) submitted on 1/12/2004 is in 
compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure 
statement is being considered by the examiner. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

Claims 21-30 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. The "computer operable media" may be 
"downloaded via the Internet or other computer network" according to the specification 
page 28 lines 23-24. This subject matter is not limited to a process, machine, 
manufacture, or a composition of matter. Instead, it includes a form of energy. Energy 
does not fall within a statutory category since it is clearly not a series of steps or acts to 
constitute a process, not a mechanical device or combination of mechanical devices to 
constitute a machine, not a tangible physical article or object which is some form of 
matter to be a product and constitute a manufacture, and not a composition of two or 
more substances to constitute a composition of matter. Note amending claim 10 to 
recite to be a "computer storage medium" instead of a "computer readable medium" 
would overcome this rejection. 

Application/Control Number: 10/755,835 
Art Unit: 2132 

Claim Rejections - 35 USC §112 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

Claims 9, 19 and 29 are rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject matter 
which applicant regards as the invention. Claims 9, 19 and 29 recite the limitation "the 
third computer". There is insufficient antecedent basis for this limitation in the claim. 

Claims 9, 19 and 29 also are indefinite because if the third computer system does 
not have access to the authentication data how is it retrieving the authentication data 
from an authentication server and storing the authentication data on a cache associated 
with the third computer. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

Claims 1-4, 6-14, 16-24, and 26-30 are rejected under 35 U.S.C. 102(b) as being 
anticipated by Giles et al. (U.S. Patent # 6,986,047). Giles teaches with respect to claim 
1 and 21, a method of handling client state information, said method comprising: 
receiving, at a first computer system (see figure 3 element 310 origin web server), a first 
request from a second computer system (see figure 3 element 305 Client), wherein the 
first request is received over a computer network (see column 3 lines 36-51 and column 
7 lines 10-62 i.e. a client sends a HTTP request); identifying access control data 
pertaining to the second computer system (see figure 11 column 7 lines 10-62 i.e. the 
origin web-server creates a valid cookie); creating an encrypted value based upon the 
access control data (see column 8 lines 52-66); and storing, on the second computer 
system, a state management data (see column 9 lines 11-12 i.e. the client cookie may 
be present in the HTTP request by the client) structure that includes an access control 
identifier (see column 8 line 66 - column 9 line 8) and the encrypted value (see column 
8 lines 52-66). 

With respect to 2, 12 and 22, authenticating a user of the second computer 
system (see column 7 lines 10-62 i.e. user ID and password prompt); and caching, on the 
first computer system, security attributes of the authenticated user that are too sensitive 
to be included in the state management data structure, wherein the cached security 
attributes are indexed by the encrypted value and wherein cached security attributes 
are adapted to re-establish a security context of the authenticated user (column 8 line 
52 - column 9 line 8 i.e. the key kc shared by the semi-trusted web-server and the origin 
web-server). 

With respect to 3, 13 and 23, wherein the access control identifier is selected 
from the group consisting of the access control data (see column 8 line 52 - column 9 
line 8 i.e. the access control identifier is the encrypted part of the access control data 
(cookie)) and a unique identifier used by the first computer system to map to the access 
control data stored on an authentication server (column 9 line 9 - column 9 line 55 i.e. 
the cookie is decrypted by using the domain identifier and the key identifier to select an 
appropriate decryption key). 

With respect to 4, 14 and 24, wherein at least one field included in the access 
control data is selected from the group consisting of: a domain, a maximum age, a path, 
a port, an authentication strength value, an authenticating server identifier, and an 
access control privilege identifier (column 8 line 52 - column 9 line 8 i.e. a global time 
out value valid for the whole domain (1130) which is usually a fixed offset added to the 
creation time; and a cookie inactivity time-out (1135) which is a fixed offset added to the 
cookie creation time; and the domain name of the origin web-server). 

With respect to 6, 16 and 26, storing the encrypted value at the first computer 
system in response to receiving the first request (see column 7 line 10-62 i.e. at step 
800 a client sends an HTTP request and after step 820 the origin web-server creates a 
cookie according to figure 11 and column 8 line 52 - column 9 line 8 this cookie is 
digital signed and encrypted with key kc); receiving a second request from the second 
computer system; retrieving the state management data structure from the second 
computer system, the retrieving performed in conjunction with the reception of the 
second request; and comparing the encrypted value included in the retrieved state 
management data structure with the encrypted value stored at the first computer system 
(column 9 line 9 - column 9 line 55). 

With respect to 7, 17 and 27, re-establishing an authenticated user's security 
context by using the encrypted value as a key to retrieve the access control data 
cached on the first computer system (column 8 line 52 - column 9 line 55). 

With respect to 8, 9, 18, 19, 28 and 29, authenticating a user of the second 
computer system, wherein the identifying, creating, and storing are performed in 
response to successfully authenticating the user (column 7 line 10-62). 

With respect to 10, 20 and 30, receiving, at the first computer system, a second 
request from the second computer system; retrieving the state management data 
structure from the second computer system, the retrieving performed in conjunction with 
the reception of the second request (column 9 line 9-55 i.e. process of validating a 
client cookie and returning client credentials in case the cookie is valid as part of the 
correlation procedures. The client cookie may be present in the HTTP request by the 
client); determining that the retrieved state management data structure is stale based on 
a timestamp included in the state management data structure (see column 9 line 11-55 
i.e. at step 1210 the global time-out and inactivity time-out fields are checked); and 
authenticating a user of the second computer system in response to the determination 
(see column 9 line 11 - column 10 line 31). 

With respect to claim 11, a first information handling system comprising: one or 
more processors; a memory accessible by the processors (see column 3 lines 36-51 i.e. 
it is inherent that a computer has a processor and a memory); a network interface 
connecting the information handling system to a computer network (see column 3 lines 
36-51); a tool for handling client state information, the tool including software effective to 
(see column 4 lines 21-41): receiving, at a first computer system (see figure 3 element 
310 origin web server), a first request from a second computer system (see figure 3 
element 305 Client), wherein the first request is received over a computer network (see 
column 3 lines 36-51 and column 7 lines 10-62 i.e. a client sends a HTTP request); 
identifying access control data pertaining to the second computer system (see column 7 
lines 10-62 and column 8 line 52 - column 9); creating an encrypted value based upon 
the access control data (see column 8 line 52 - column 9 line 55 i.e. key kc); and 
storing, on the second computer system, a state management data (i.e. cookie) 
structure that includes an access control identifier and the encrypted value (see column 
7 lines 10-62 and column 8 line 52 - column 9 line 55 i.e. the client cookie may be 
present in the HTTP request by the client). 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 5, 15, and 25 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Giles et al. (U.S. Patent # 6,986,047) in view of Schneier "Applied Cryptography: 
Protocols, Algorithms, and Source Code in C". Giles teaches everything with respect to 
claim 1 above but with respect to claim 5 teaches digital signing the access control data 
(i.e. cookie) and encrypting the hash value (see column 8 line 52 - column 9 line 55 i.e. 
the fields of the first part are encrypted using the key Kc). Giles does not explicitly teach 
hashing the access control data using a hashing algorithm. Schneier teaches that digital 
signature protocols are often implemented with one-way hash functions (Schneier 
page 38). It would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains to have used a digital 
signature protocol that used a one-way hash function to save time. Therefore one 
would have been motivated to have used a digital signature protocol that used a 
one-way hash function to authenticate save and provide message integrity (Schneier 
page 38). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Devin Almeida whose telephone number is 571-270-1018. 
The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 
5:00 P.M. The examiner can also be reached on alternate Fridays from 7:30 A.M. to 
4:00 P.M. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron, can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



Devin Almeida 
Patent Examiner 
2/27/2007 




